Question: Aside from eliminating sensitive data from your business process, what are two things you can do to eliminate much of the risk of a data-breach?
Answer: Application Level Encryption and Strong Authentication.
Longer Answer: While we all recognize that encrypting sensitive data can protect you, most people – even in the security business – don’t realize that not all encryption is equal. Even if using NIST-approved algorithms with the largest key-sizes available, data can still get breached. How is that possible?
When encrypting data, all else being equal from a cryptographic point-of-view, two design decisions matter: 1) Where is data being cryptographically processed? and 2) How are cryptographic keys managed?
If data is encrypted/decrypted in any part of the system – the hard-disk drive, operating system, database, etc. – other than the business application using that data, significant residual risks remain despite the encryption. An attacker need only compromise a software layer above the encrypting-layer to see unencrypted (plaintext) data. Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data as it affords the attacker the smallest target. This also ensures that, once data leaves the application layer, it is protected no matter where it goes (and conversely, must come back to the application layer to be decrypted).
The second design-decision of encryption is how you protect cryptographic keys. If you use a general-purpose file, keystore, database or device to store your keys, this would be the equivalent of leaving company cash in a general-purpose desk or drawer. Much as you need a safe to store cash in a company, you need a purpose-built “key-management” solution designed with hardened security requirements to protect cryptographic keys. These solutions have controls to ensure that, even if someone gains physical access to the device, gaining access to the keys will be very hard to near impossible. If the key-management system cannot present sufficiently high barriers, even billion-dollar companies can fail to protect sensitive data – as many did this year and continue to do so even as I’m writing this!
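The two design decisions above can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from the original article or from any product it alludes to: the business application is the only component that ever holds plaintext, the storage layer below it receives only ciphertext, and the key is fetched from a separate key manager by identifier rather than kept next to the data. The in-memory `KeyManager` stands in for a purpose-built HSM or key-management service, and the key id `customer-pii-v1`, the customer ids and the sample SSN are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyManager stands in for the purpose-built key-management system the text
// calls for (an HSM or KMS in practice): keys are fetched by identifier and
// never stored beside the data. The key id "customer-pii-v1" is a constructed name.
type KeyManager struct{ keys map[string][]byte }

func NewKeyManager() *KeyManager {
	k := make([]byte, 32) // AES-256 data-encryption key
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &KeyManager{keys: map[string][]byte{"customer-pii-v1": k}}
}

// aead returns an AES-GCM instance for the named key; the key bytes stay inside the manager.
func (km *KeyManager) aead(id string) (cipher.AEAD, error) {
	key, ok := km.keys[id]
	if !ok {
		return nil, errors.New("unknown key id: " + id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store models every layer below the application (database, file system, disk).
type Store struct{ rows map[string]string }

// RawRecord is what someone who compromises the storage layer would see.
func (s *Store) RawRecord(customer string) string { return s.rows[customer] }

// App is the business application: the only layer that handles plaintext.
type App struct {
	km    *KeyManager
	Store *Store
	keyID string
}

func NewApp() *App {
	return &App{km: NewKeyManager(), Store: &Store{rows: map[string]string{}}, keyID: "customer-pii-v1"}
}

// SaveSSN encrypts the field before it leaves the application. The stored record
// is "keyID:nonce:ciphertext" (base64): it names the key for later rotation, never contains it.
func (a *App) SaveSSN(customer, ssn string) error {
	gcm, err := a.km.aead(a.keyID)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The customer id is additional authenticated data, so a ciphertext copied
	// into another customer's row fails authentication on decrypt.
	ct := gcm.Seal(nil, nonce, []byte(ssn), []byte(customer))
	a.Store.rows[customer] = a.keyID + ":" +
		base64.StdEncoding.EncodeToString(nonce) + ":" +
		base64.StdEncoding.EncodeToString(ct)
	return nil
}

// LoadSSN is the only path back to plaintext: data must return to the application layer.
func (a *App) LoadSSN(customer string) (string, error) {
	parts := strings.SplitN(a.Store.rows[customer], ":", 3)
	if len(parts) != 3 {
		return "", errors.New("no record for " + customer)
	}
	gcm, err := a.km.aead(parts[0])
	nonce, e1 := base64.StdEncoding.DecodeString(parts[1])
	ct, e2 := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || e1 != nil || e2 != nil {
		return "", errors.New("unusable record for " + customer)
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(customer))
	if err != nil {
		return "", errors.New("decryption failed: " + err.Error())
	}
	return string(pt), nil
}

func main() {
	app := NewApp()
	fmt.Println("save error:", app.SaveSSN("cust-42", "123-45-6789")) // constructed sample values
	fmt.Println("what the database holds:", app.Store.RawRecord("cust-42"))
	fmt.Println(app.LoadSSN("cust-42"))
}
```

Running it prints a record that begins with the key identifier followed by base64 nonce and ciphertext; a dump of the store, a disk image or a database read-replica yields nothing more. Authenticated encryption with the row id as associated data is what makes a record moved between rows, or edited in place, fail to decrypt instead of silently yielding the wrong customer's data.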
While cryptography tends to get complex and the details might seem burdensome, it is important to recognize that an encryption solution provides the last bastion of defence against determined attackers; it is well worth a company’s time to give it the proper attention and not attempt to invent it themselves.
Conversely, the first line of defence should be strong-authentication. Strong-authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to confirm that the user is who they claim to be. While digital certificates on smartcards provided such capability for over two decades, they are expensive, and not easy to use and support even in highly technical environments. A standards group (fidoalliance.org) is attempting to simplify this problem; some early solutions have already made it to market this year with successful deployments under way.
Between application-level-encryption on the back-end and strong-authentication on the front-end, even if an attacker managed to slip past network defences – as they always seem to do – they will have little wiggle-room to compromise sensitive data. While no security technology is absolutely fool-proof, ALESA (application-level encryption plus strong authentication), implemented correctly, raises the bar sufficiently high to “encourage” the vast majority of attackers to move on to easier targets.